CVSS Vector (NVD)
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages from local-network or tailnet hosts, polluting session state and consuming budget.
Analysis (AI-generated)
OpenClaw before version 2026.4.2 improperly trusts local-network pages in its iOS A2UI bridge: a page served from any local-network or tailnet host is accepted as a trusted origin, so attacker-controlled content on such a host can inject unauthorized agent.request runs. The effect is polluted session state and consumed user budget without any authentication (PR:N in the vector above). Exploitation is constrained to an adjacent network position (AV:A), a prerequisite such as a reachable host on the same local network or tailnet (AT:P), and a victim loading the attacker's page (UI:P); the vector rates the integrity and availability impact as low and records no confidentiality impact.
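As an added illustration, not code from OpenClaw, the advisory, or this page, the JavaScript below models a hypothetical web-to-native bridge that accepts agent.request messages from pages loaded in an embedded web view. It contrasts the flawed trust rule the description identifies (any local-network or tailnet origin counts as trusted) with an explicit per-origin allowlist, and shows that the same injected message is accepted from a LAN or tailnet page under the first rule and rejected under the second. The host names, the port 18789, the message shape, and the private and CGNAT ranges used to define "local network" are assumptions made for the example, not details taken from the vulnerable code.

```javascript
"use strict";

// Added example, not OpenClaw code. Models a hypothetical web-to-native bridge that
// dispatches "agent.request" messages, comparing a "trust anything local" origin check
// with an exact allowlist. All hosts, ports and message fields are constructed.

// IPv4 blocks a "local network" heuristic typically treats as trusted: RFC 1918,
// loopback, and RFC 6598 100.64.0.0/10 (the range Tailscale assigns to tailnet peers).
const PRIVATE_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["100.64.0.0", 10],
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Flawed rule: a host that merely looks local (LAN, loopback, tailnet) is a trusted origin.
function isLocalNetworkHost(host) {
  if (host === "localhost" || host.endsWith(".local") || host.endsWith(".ts.net")) return true;
  return PRIVATE_V4.some(([base, bits]) => inCidr(host, base, bits));
}

function weakTrustsOrigin(pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  return isLocalNetworkHost(url.hostname);
}

// Hardened rule: only a pre-registered exact origin (scheme + host + port) is trusted.
function strictTrustsOrigin(pageUrl, allowlist) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  return allowlist.has(url.origin);
}

// Minimal bridge dispatcher. It returns the decision rather than starting a run, so the
// effect of each trust policy on the same message can be compared directly.
function handleBridgeMessage(msg, pageUrl, trustsOrigin) {
  if (!msg || msg.type !== "agent.request") return { accepted: false, reason: "unknown message type" };
  if (!trustsOrigin(pageUrl)) return { accepted: false, reason: `untrusted origin for ${pageUrl}` };
  return { accepted: true, sessionId: msg.sessionId };
}

// Constructed scenario: the app's own bridge page vs pages served by other hosts.
const OWN_ORIGIN = "http://127.0.0.1:18789"; // assumed bridge origin, not a real OpenClaw port
const ALLOWLIST = new Set([OWN_ORIGIN]);
const ATTACKER_PAGE = "http://192.168.1.50:8080/ui.html"; // constructed LAN host
const TAILNET_PAGE = "http://100.101.102.103/ui.html"; // constructed tailnet peer

// A message an attacker-controlled page would post to the bridge (constructed).
const injected = { type: "agent.request", sessionId: "sess-1", prompt: "run something" };

function compare(pageUrl) {
  return {
    weak: handleBridgeMessage(injected, pageUrl, weakTrustsOrigin).accepted,
    strict: handleBridgeMessage(injected, pageUrl, (u) => strictTrustsOrigin(u, ALLOWLIST)).accepted,
  };
}

for (const page of [OWN_ORIGIN + "/", ATTACKER_PAGE, TAILNET_PAGE]) {
  console.log(page, compare(page));
}
```

Under the weak rule both the LAN page and the tailnet page are accepted, because "reachable on a private address" is not the same property as "is the application's own UI"; the allowlist accepts only the bridge's registered origin. A real fix would pair the origin check with a per-session token handed only to that origin, so that a page cannot pass merely by spoofing or sharing a host, but the origin allowlist alone already closes the class of issue described above.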
EUVD-2026-26106